CONGRESSIONAL TRANSCRIPTS
Congressional Hearings 
June 29, 2006 



House Veterans' Affairs Committee holds Hearing on VA 
Data Security Breach 



LIST OF SPEAKERS 



NICHOLSON: 

Good morning, everyone. 

I just want to make a statement here before we get started to announce that
(inaudible) it has just been confirmed to me by the... 

BUYER: 

Mr. Secretary, are you holding a press conference in here? Are you starting having a — 
the hearing hasn't started yet. 

NICHOLSON: 

... the attorney general of the United States that the subject hard drive laptop computer 
that was stolen from a V.A. employee's home has been recovered. It's confirmed that
that has been recovered. 

The investigation continues to see whether or not this information has been 
compromised in any way or copied. There is reason, however, to be optimistic. 

I want to thank the law enforcement community that's been involved in this. They've 
done a terrific job of collaboration between our own inspector general at the V.A., the 
local police and the Federal Bureau of Investigation. 

So it's a very positive note in this very tragic, epic event. 

(UNKNOWN) 

Mr. Secretary, does this let you off the hook, do you think? 
Mr. Secretary, does this let you off the hook? 
(CROSSTALK) 

(UNKNOWN) 

He started a press conference in our hearing room, so I can ask him questions. He acts 
as if he recovered the stolen data. 

(UNKNOWN) 

But in all fairness... 

(UNKNOWN) 

No. 

(UNKNOWN) 

Let's let the chairman decide. Let's let the chairman decide. 
(UNKNOWN)

The secretary wants to make a statement to the press before we begin here.
(OFF-MIKE)

BUYER: 

The House Committee of the Veterans' Affairs Committee will come to order, June 
29th, 2006. 

This morning we will continue our examination of the data theft and information 
security at the Department of Veterans Affairs. The catalyst of this examination was the 
compromise in May of data belonging to as many as over 26 million veterans, 2.2 million 
servicemembers and some family members. 

The purpose of our oversight has focused on obtaining as much of the understanding as 
possible. It has included a business roundtable with information and experts. We've had 
seven hearings, including two subcommittee hearings. 

This is nothing less than a full examination of the information management systems of 
the Department of Veterans Affairs. What we learn here will inform us of our efforts to 
make whole any veteran harmed by the theft of personal information and assure the 
security of veterans' personal information. 

Over the past month, this committee has brought in over 17 witnesses to examine the 
loss of data, the current structure of informational security as an extension of the structure 
of information technology, and options regarding credit monitoring and information 
security. 

Witnesses have included Secretary Nicholson, the V.A.'s inspector general, general 
counsel. Experts from the GAO, academic, and experts from the field of data security, 
information technology management and identity theft have testified. 

Additionally, the Subcommittee on Disability Assistance and Memorial Affairs held a 
joint hearing with the Subcommittee on Economic Opportunity on June 20th to review 
data security in the Veterans Benefits Administration. 

The Subcommittee on Health held a hearing on June 21st to review the security on 
medical information in the Veterans Health Administration. 

Today's hearing is a capstone of that. 

Mr. Secretary, I want to thank you for being here this morning. We look forward to 
hearing what steps the department has taken to mitigate the second-largest breach of 
personal data in American history and how we're going to help our veterans. 

We are interested in learning, as well, what the V.A. is doing to prevent future security 
breaches, what plans exist to mitigate the event of identity theft as a result of this breach 
or any other breach. We look forward to receiving your testimony, Mr. Secretary. 

In fairness to you, I offer a brief overview of what we have learned from these 
hearings, not to mention several years of painful experience in dealing with these issues 
and the V.A.'s bureaucracy. 

Almost without exception, experts from academic and leading businesses have told this 
committee that the complexities and threats characterizing information management 
today require the system to be centralized. They further state that the V.A.'s decentralized 
I.T. structure make it, quote, "practically impossible," end quote, to secure its data. 
Time and again we have heard the same counsel: limit the number of data users;
minimize the amount of data that must be exported for use; screen and train your people; 
and centralize the system and empower the chief information officer. 

While no one knows whether this compromise of data will produce cases of fraud, 
executives who have successfully recovered from large-scale data compromises have
informed this committee that fast action is required. Communications with your 
customers is important when time is of the essence. Offer mitigating services quickly; 
coordinate with law enforcement agencies quickly. 

But the word "quick" does not seem to characterize anything about the V.A.'s response 
to this threat. Over the years, the GAO and the department's own I.G. have testified on 
these issues repeatedly, since 1997. They brought grave security deficiencies and 
vulnerabilities to the attention of V.A. officials, who in turn essentially have ignored 
them. 

Two immediate former department CIOs and a former associate deputy assistant 
secretary for cyber and information security informed this committee of impenetrable 
barriers thrown up by a turf-bound culture of the status quo that affects your middle and 
senior ranks of leadership. 

The department's general counsel of 2004, I believe gave the narrowest possible
interpretation of your predecessor's decision of his efforts to centralize I.T. authorities 
and empower the CIO. 

Mr. Secretary, from this vantage point, I believe that at times you have not been
well-served. You have inherited an unfortunate situation, and you're a military man yourself. I
commend you on the acceptance of responsibility for a sorry state of affairs, but you are 
attempting to cut through the cultural resistance and fix it. 

I read the memo that you issued last night, and I congratulate you for that memo. I can 
almost envision the spirited debate that occurred at the table before you signed that 
memo. 

So I'd like to thank you for that. 

In your opening statement, I would also, though, like for you to inform this committee 
of any other data breaches that you have knowledge of, or in particular the data loss in 
Minneapolis. 

And I am distressed to have heard about the lost tape in Indianapolis, because your 
counsel was just this week before this committee, yet never informed this committee that 
you have a missing tape that contains over 16,538 legal cases. 

So I am pre-stressed this morning, to have learned this last night, very late. 

At this point, I'm going to yield to Mr. Filner for any opening statements he may have. 

FILNER: 

Thank you, Mr. Chairman. 

And I, again, as I have in the preceding five hearings, thank you for this real example 
of oversight that the committee should be following. 

Mr. Secretary, we are, I think, grateful about the announcement that you just made this 
morning. It lifts a heavy burden from the hearts of millions of veterans if it's true that 
there was no compromise. 

We congratulate law enforcement, and we can all breathe easier. 

I think everybody here is very grateful. 
But it doesn't change some fundamental things, Mr. Secretary. You start off with a
little stunt. You never told us that the data had been recovered. Typical for this last two 
months, you've been spinning, spinning, spinning; you've been doing P.R.; and you've 
done very little to deal with the issue that the veterans face with fear every day. 

It doesn't change the culture that we have had to find very clearly in these hearings and 
which Mr. Buyer has been talking about for seven years now. 

It doesn't change the lapses in your personnel chain that has kept information 
apparently from you, from the FBI, from us. 

It doesn't change the fact that your intentions seem to be to have blamed all of this on 
one guy who, as we will introduce today at the hearing, had permission to take his laptop, 
had permission to download the data, had help to download the data, had authorization to 
use that data, had taken every step. 

And yet, he's been accused — as far as I know, the only one in your whole operation 
that any operation has been taken against in a personnel way. He's been accused, as I 
understand, of gross negligence. He did everything he was supposed to do. He informed 
the cops in 52 minutes. Your guys didn't inform you for six or seven days. Who was 
grossly negligent there? 

So Mr. Secretary, we've got a lot to do. This memo that Mr. Buyer referred to is a good 
step, I take it. And I agree with you on that, because it's something you've been working 
for many years, and I know you feel some satisfaction in that. And this theft, which 
hopefully is not a compromise now, was the stimulus to take action on something that we 
all should have recognized the chairman's incisiveness on this, for many years. 

So we still must act — we still must act on that centralization; we still must act on the 
culture; we still must figure out why you decided to fire one person in this whole mess, 
and whether he was actually grossly negligent or other people were. 

Mr. Chairman, I ask for my full statement to be made a part of the record. 

BUYER: 

Hearing no objections, so ordered. 

If any other members have opening statements, you may submit them for the record. 

If you would like — I'll yield to the gentleman. 

STEARNS: 

Mr. Chairman, I just want to commend the secretary for his announcement this 
morning. I think it's breathtaking that he found the computer, and I commend he and his 
staff for doing it. 

(UNKNOWN) 

I don't think he found it. 

STEARNS: 

Well, at any rate, his announcement that at this point they have the computer. And I 
think all of us are just waiting to hear more what's happened. And I think perhaps the 
angels are on his side at this point, so I look forward to his comments. 

(UNKNOWN) 
Mr. Chairman, I'm not going to make a statement, but I was not here. And when I
walked in, so I hope that the secretary will begin anew, so I know exactly what Mr. 
Stearns is commending him for. 

Thank you. 

BUYER: 

We're going to give the secretary great latitude. And we have invited him to come 
back, after we have also done our due diligence in our investigations. And if you recall, 
we had him here immediately after this happened, but also the Senate wanted him, so we 
only had him for about an hour. 

So we're going to have the secretary here for as long as it takes this morning. And he 
has his undersecretaries are here. 

And Mr. Secretary, you are recognized. 

NICHOLSON: 

Thank you, Mr. Chairman and members of the committee. 

Coming in here, I was asked if I would make a brief statement to the press, because of 
the news that we have, the good news. 

And so I will start just by repeating that, by saying that it was confirmed to me by the 
deputy attorney general just right before coming up here that they have, indeed, in their — 
law enforcement has in their possession the subject laptop and hard drive. The serial 
numbers match. 

They are diligently conducting forensic analysis on it to see if they can tell whether it's 
been duplicated or utilized or entered in any way, and that work is not complete.

However, they did say to me that there is reason to be optimistic about that, but that is 
not a certainty. 

I would like to again — I appreciate your kind words, Mr. Congressman. The only part 
I had in this recovery were my prayers to St. Anthony, I'll tell you. 

But the law enforcement community did a very, very good job in this. And to have 
gotten their hands on these two small items in the volume that there is circulating out 
there in that world is really extraordinary. And I'm very grateful, and I know you are. 

We'll just have to remain hopeful that they haven't been compromised. And as I said, 
there is reason to be optimistic. 

BUYER: 

And are they looking — they're doing the study, the forensics, right now? 

NICHOLSON: 

As we speak, yes, sir. 

BUYER: 

All right, thank you. 

NICHOLSON: 
Again, I would like to thank you all for the opportunity to appear here today to follow
up on what has occurred at our department. And my testimony, my opening statement 
will be in the context of this big problem, because I agree with Filner in many respects. 

This has brought to the light of day some real deficiencies in our department in the 
manner in which we've handled personal data and cyber-information. And if there's a 
redeeming part of this, and I believe there is, it is that we can really turn this place 
around. And I sincerely think we can make it into the gold standard for information 
security, like we have the gold standard for electronic health records. And that is our 
challenge — indeed, that's our mandate. 

But I will testify in the context that things are, as we thought they were last night or 
yesterday at this time. 

So again, this theft occurred on May 3rd, and it's been tragic on many levels. But I also 
— and this may now be moot — but there was a perception on the part of many members 
of the public that the data was lost to the V.A. It was never lost. These were copies of that 
data that were lost. 

And I also want to highlight the fact to you, the members of this Oversight Committee, 
that while we've been addressing this issue, as you would imagine, double time, we also 
have been attending to the business of the V.A., which is our core mission, which is 
caring for the health needs and benefits of our veterans and of course the burials. 

I would point out to you that we have over a million veterans come to us every week 
for health care provision, and we're taking darn good care of them. 

Since this theft occurred and has come to my attention, I have taken many proactive 
steps on many fronts. But all of them have been guided by one question — the answer to 
one question, which is, what is going to be the best for the veterans? 

And this committee and its various subcommittees have had at least one hearing a 
week since this theft became public, mostly focused on the elements of the theft and its 
aftermath. 

Other committees have held hearings on this, and we've provided briefings for various 
members of the Congress and their staff. 

So for that reason, much of what I say will be familiar to you, I know. But I would like 
to organize my presentation into a few basic points, and that is, what have we done, what 
are we doing, what needs to be done, and how will we measure progress on these fronts? 

And again our goal is on behalf of the veterans to make the V.A. into a first-rate 
organization in the realm of cyber and information security, just as we've done as an 
integrated health care provider. 

Following the theft of this data at the employee's home, we determined or attempted to 
determine the scope of the loss. And we retained forensic experts. 

And once the magnitude of this was more fully understood, we began working nonstop 
to see what steps are appropriate now, going forward, to protect our veterans. 

NICHOLSON: 

I directed a series of personnel changes in the Office of Policy and Planning, where the 
breach occurred — the two senior people in that department, as well as the person who 
had custodial responsibility for this data. 

I retained an outside independent adviser to me. Rick Romley, the former prosecutor 
and district attorney in Arizona. I have expedited cyber-security awareness training and 
privacy training for all V.A. employees — directed that V.A. facilities across the country
observe Security Awareness Week this week. And it's focusing on ensuring that security 
is an integral part of our workplace culture, ethic. 

The V.A.'s initial response to this loss was to create a call center with the capacity to 
handle 260,000 calls, and we've reprogrammed $25 million to do that. To date, we have 
spent $9.3 million in that call center, and we've had a total of 212,000 calls. 

Another thing that we did is we did a mailing to all of the 17.5 million people for 
whom we had addresses by matching our data with the IRS to come up with those 
addresses. That mailing costs $7 million. 

As you well know, we also requested and got the requisite policy approvals to seek 
from you the ability to provide security monitoring for the affected veterans, 
servicemembers and family members. And I have quite a bit on that, and I think that I 
will demur on that pending what questions that you might have on that. You know, we
hope and pray that that's academic, but we don't know that as I sit here. 

Let me talk about some specific actions that are going to — that are and will occur at 
the V.A. And, again, one of the redemptive parts of this, I think, is the absolute wake-up
call, lightning rod, to make changes in this organization, some of which I hope will 
become models for other agencies that I know have some similar complacency and laxity 
that we have had on information security. 

I've directed that every laptop computer in the V.A. undergo a security review to 
ensure that all security and virus software is current, including the immediate removal of 
any unauthorized information or software, and the application of appropriate encryption 
programs. But because of the pending lawsuits, this directive has been placed on hold 
until we obtain further guidance from the courts. 

In addition, we have been in discussions with corporations which provide unique data 
breach analysis to see if the data has been exploited. And we anticipate that we will enter 
into a contract for that service shortly. And I would add here parenthetically that I think 
we should do that anyway, regardless of what the outcome of what we are now hoping 
for, based on today's news is. 

This is not extremely expensive. It's a new technology. But they can tell you whether a 
body of data is being used — exploited by people who do this, who steal identity and 
exploit it. 

We're making an effort to be responsive to the concerns of you, Mr. Chairman, and this 
committee by directing us to provide detection, protection and insurance (ph), and that, I 
would say, is there. It's pending further information. 

I've directed that the V.A. conduct an inventory of all positions requiring access to 
sensitive V.A. data to ensure that only those employees who need such access to do their 
jobs have it, and that they have the appropriate background checks. 

And if you could think of a model for this — it's one that you're all familiar with — 
which is the — having a security clearance for having access to classified information and 
having a need to know the information. This, unfortunately, has just not been the standard 
in our organization. 

And as you've heard me say before, the person who had custody of this data had not 
had a background check in 32 years — as an example. 
We have been, in an effort to conduct this inventory of these positions — and then we
are working on a program for getting these background checks in place, which is no small 
task given the time delays there are in those, and it's costly. 

We're doing a major I.T. reorganization within the V.A. And it's true, as the chairman 
and the ranking member have said, that the V.A. has been very highly decentralized — 
and this is a huge organization that's spread all over the world, really, from Togos (ph), 
Maine, to Manila in the Philippines. 

And some of that decentralization has been good. It's kept the I.T. closer to the 
ultimate user. And I would say that it's also been very, very valuable and important in the 
development of the highly vaulted (ph) electronic medical records that we have that lead
-- I was at the World Forum of the American Enterprise Institute recently where they were
universally praising the V.A. for what it's been able to accomplish in this front. 

But it's also — this decentralization has also led to a system that is very, very complex, 
frequently incompatible and very difficult to manage. And that's become clear to me, and 
it did shortly after I came into this job 16 months ago. 

So after reviewing the recommendations of a consultant who had been studying the 
I.T. situation at the V.A. after the ill-fated CoreFLS endeavor in Florida in October of '05 
— or that's when it — that's when I made the decision and signed a memorandum directing 
the reorganization of the I.T. within the V.A. That was last October. 

And pursuant to that, now more than 4,600 I.T. professionals engaged in operations 
and maintenance of the department's I.T. infrastructure, plus 560 unencumbered positions 
have been detailed to the Office of Information and Technology under the direction of the 
chief information officer. 

As of the beginning of the new fiscal year coming up, on October 1, those who have 
been detailed will become permanently there, establishing thereby a new career field 
within OIT, giving collective bargaining agreements with... 

(CROSSTALK) 

ACTING CHAIRMAN: 

Excuse me. Excuse me, Mr. Secretary... 

NICHOLSON: 

... the terms and conditions. 

ACTING CHAIRMAN: 

Mr. Secretary, if you could hold your spot. Put a little note there in your statement — 
hold that spot. I've been informed we have three votes. And we have a 15-minute vote on 
the Poe amendment, a two-minute vote on Hefley, and then a final passage. 

So we're going to stand in recess for approximately 25 minutes. 

And, Mr. Secretary, given your announcement, I'm sure that you're going to be asked 
questions from the press. You have the permission of the committee to speak with the 
press and to conduct an interview in this room. 

The committee stands in recess. 

(RECESS) 



